@promptcellar/pc 0.4.0 → 0.5.0

package/src/commands/setup.js

@@ -6,7 +6,7 @@ import { homedir } from 'os';
 import { execFileSync } from 'child_process';
 
 // Config paths
-const CLAUDE_HOOKS_PATH = join(homedir(), '.claude', 'hooks.json');
+const CLAUDE_SETTINGS_PATH = join(homedir(), '.claude', 'settings.json');
 const CODEX_CONFIG_PATH = join(homedir(), '.codex', 'config.toml');
 const GEMINI_SETTINGS_PATH = join(homedir(), '.gemini', 'settings.json');
 
@@ -37,11 +37,11 @@ function detectInstalledTools() {
   return tools;
 }
 
-// Claude Code hooks
-function getClaudeHooksConfig() {
-  if (existsSync(CLAUDE_HOOKS_PATH)) {
+// Claude Code settings (hooks are in settings.json under "hooks" key)
+function getClaudeSettings() {
+  if (existsSync(CLAUDE_SETTINGS_PATH)) {
     try {
-      return JSON.parse(readFileSync(CLAUDE_HOOKS_PATH, 'utf8'));
+      return JSON.parse(readFileSync(CLAUDE_SETTINGS_PATH, 'utf8'));
     } catch {
       return {};
     }
@@ -49,18 +49,18 @@ function getClaudeHooksConfig() {
   return {};
 }
 
-function saveClaudeHooksConfig(config) {
-  const dir = dirname(CLAUDE_HOOKS_PATH);
+function saveClaudeSettings(settings) {
+  const dir = dirname(CLAUDE_SETTINGS_PATH);
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true });
   }
-  writeFileSync(CLAUDE_HOOKS_PATH, JSON.stringify(config, null, 2));
+  writeFileSync(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
 }
 
-function isClaudeHookInstalled(config) {
-  const stopHooks = config.Stop || [];
-  return stopHooks.some(hook =>
-    hook.command && hook.command.includes(HOOK_SCRIPT_NAME)
+function isClaudeHookInstalled(settings) {
+  const matchers = settings.hooks?.UserPromptSubmit || [];
+  return matchers.some(matcher =>
+    matcher.hooks?.some(hook => hook.command?.includes(HOOK_SCRIPT_NAME))
   );
 }
 
@@ -101,7 +101,7 @@ function getGeminiSettings() {
 }
 
 function isGeminiHookInstalled(settings) {
-  const hooks = settings.hooks?.AfterAgent || [];
+  const hooks = settings.hooks?.BeforeAgent || [];
   return hooks.some(h =>
     h.hooks?.some(hook => hook.command?.includes('pc-gemini-capture'))
   );
@@ -167,9 +167,9 @@ export async function setup() {
 async function setupClaudeCode() {
   console.log(chalk.cyan('\nConfiguring Claude Code...'));
 
-  const config = getClaudeHooksConfig();
+  const settings = getClaudeSettings();
 
-  if (isClaudeHookInstalled(config)) {
+  if (isClaudeHookInstalled(settings)) {
     console.log(chalk.yellow('  Hook already installed.'));
 
     const { reinstall } = await inquirer.prompt([{
@@ -183,23 +183,30 @@ async function setupClaudeCode() {
       return;
     }
 
-    // Remove existing hook
-    config.Stop = (config.Stop || []).filter(hook =>
-      !hook.command || !hook.command.includes(HOOK_SCRIPT_NAME)
+    // Remove existing hook matchers that contain our hook
+    settings.hooks.UserPromptSubmit = (settings.hooks.UserPromptSubmit || []).filter(matcher =>
+      !matcher.hooks?.some(hook => hook.command?.includes(HOOK_SCRIPT_NAME))
     );
   }
 
-  // Add the hook
-  if (!config.Stop) {
-    config.Stop = [];
+  // Ensure hooks.UserPromptSubmit exists
+  if (!settings.hooks) {
+    settings.hooks = {};
+  }
+  if (!settings.hooks.UserPromptSubmit) {
+    settings.hooks.UserPromptSubmit = [];
   }
 
-  config.Stop.push({
-    command: `pc-capture`,
-    description: 'Capture prompts to PromptCellar'
+  // Add the UserPromptSubmit hook
+  settings.hooks.UserPromptSubmit.push({
+    matcher: '*',
+    hooks: [{
+      type: 'command',
+      command: 'pc-capture'
+    }]
   });
 
-  saveClaudeHooksConfig(config);
+  saveClaudeSettings(settings);
   console.log(chalk.green('  Hook installed successfully.'));
 }
 
@@ -272,28 +279,22 @@ async function setupGemini() {
     }
 
     // Remove existing hook
-    if (settings.hooks?.AfterAgent) {
-      settings.hooks.AfterAgent = settings.hooks.AfterAgent.filter(h =>
+    if (settings.hooks?.BeforeAgent) {
+      settings.hooks.BeforeAgent = settings.hooks.BeforeAgent.filter(h =>
         !h.hooks?.some(hook => hook.command?.includes('pc-gemini-capture'))
       );
     }
   }
 
-  // Ensure hooks are enabled
-  if (!settings.hooksConfig) {
-    settings.hooksConfig = {};
-  }
-  settings.hooksConfig.enabled = true;
-
-  // Add the AfterAgent hook
+  // Add the BeforeAgent hook
   if (!settings.hooks) {
     settings.hooks = {};
   }
-  if (!settings.hooks.AfterAgent) {
-    settings.hooks.AfterAgent = [];
+  if (!settings.hooks.BeforeAgent) {
+    settings.hooks.BeforeAgent = [];
   }
 
-  settings.hooks.AfterAgent.push({
+  settings.hooks.BeforeAgent.push({
     matcher: '*',
     hooks: [{
       name: 'promptcellar-capture',
@@ -313,12 +314,12 @@ export async function unsetup() {
   let removed = false;
 
   // Remove Claude hook
-  const claudeConfig = getClaudeHooksConfig();
-  if (isClaudeHookInstalled(claudeConfig)) {
-    claudeConfig.Stop = (claudeConfig.Stop || []).filter(hook =>
-      !hook.command || !hook.command.includes(HOOK_SCRIPT_NAME)
+  const claudeSettings = getClaudeSettings();
+  if (isClaudeHookInstalled(claudeSettings)) {
+    claudeSettings.hooks.UserPromptSubmit = (claudeSettings.hooks.UserPromptSubmit || []).filter(matcher =>
+      !matcher.hooks?.some(hook => hook.command?.includes(HOOK_SCRIPT_NAME))
     );
-    saveClaudeHooksConfig(claudeConfig);
+    saveClaudeSettings(claudeSettings);
     console.log(chalk.green('  Removed Claude Code hook.'));
     removed = true;
   }
@@ -339,8 +340,8 @@ export async function unsetup() {
   // Remove Gemini hook
   const geminiSettings = getGeminiSettings();
   if (isGeminiHookInstalled(geminiSettings)) {
-    if (geminiSettings.hooks?.AfterAgent) {
-      geminiSettings.hooks.AfterAgent = geminiSettings.hooks.AfterAgent.filter(h =>
+    if (geminiSettings.hooks?.BeforeAgent) {
+      geminiSettings.hooks.BeforeAgent = geminiSettings.hooks.BeforeAgent.filter(h =>
         !h.hooks?.some(hook => hook.command?.includes('pc-gemini-capture'))
       );
     }

package/src/commands/status.js

@@ -2,6 +2,7 @@ import chalk from 'chalk';
 import { isLoggedIn, getApiUrl, getCaptureLevel, getSessionId } from '../lib/config.js';
 import { testConnection } from '../lib/api.js';
 import { getGitContext } from '../lib/context.js';
+import { loadVaultKey } from '../lib/keychain.js';
 
 export async function status() {
   console.log(chalk.bold('\nPromptCellar CLI Status\n'));
@@ -21,6 +22,16 @@ export async function status() {
   // Capture level
   console.log(`  Capture level: ${chalk.cyan(getCaptureLevel())}`);
 
+  // Vault status
+  const vaultKey = await loadVaultKey();
+  if (vaultKey) {
+    console.log(`  Vault: ${chalk.green('configured')}`);
+  } else if (isLoggedIn()) {
+    console.log(`  Vault: ${chalk.yellow('key missing')} - run pc login`);
+  } else {
+    console.log(`  Vault: ${chalk.yellow('not configured')} - capture disabled`);
+  }
+
   // Session ID
   console.log(`  Session ID: ${chalk.dim(getSessionId().slice(0, 8))}...`);
 

package/src/lib/config.js

@@ -1,3 +1,4 @@
+import { randomUUID } from 'node:crypto';
 import Conf from 'conf';
 
 const config = new Conf({
@@ -19,6 +20,14 @@ const config = new Conf({
     sessionId: {
       type: 'string',
       default: ''
+    },
+    accountUrl: {
+      type: 'string',
+      default: 'https://account.weldedanvil.com'
+    },
+    vaultAvailable: {
+      type: 'boolean',
+      default: false
     }
   }
 });
@@ -33,6 +42,8 @@ export function setApiKey(key) {
 
 export function clearApiKey() {
   config.delete('apiKey');
+  config.delete('sessionId');
+  config.set('vaultAvailable', false);
 }
 
 export function getApiUrl() {
@@ -57,12 +68,28 @@ export function setCaptureLevel(level) {
 export function getSessionId() {
   let sessionId = config.get('sessionId');
   if (!sessionId) {
-    sessionId = crypto.randomUUID();
+    sessionId = randomUUID();
     config.set('sessionId', sessionId);
   }
   return sessionId;
 }
 
+export function getAccountUrl() {
+  return config.get('accountUrl');
+}
+
+export function setAccountUrl(url) {
+  config.set('accountUrl', url);
+}
+
+export function isVaultAvailable() {
+  return config.get('vaultAvailable');
+}
+
+export function setVaultAvailable(available) {
+  config.set('vaultAvailable', available);
+}
+
 export function isLoggedIn() {
   return !!config.get('apiKey');
 }

package/src/lib/crypto.js

@@ -0,0 +1,39 @@
+import { createCipheriv, randomBytes } from 'crypto';
+
+function b64urlEncode(buffer) {
+  return Buffer.from(buffer)
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+}
+
+function b64urlDecode(str) {
+  let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+  while (base64.length % 4) base64 += '=';
+  return Buffer.from(base64, 'base64');
+}
+
+export function encryptPrompt(plaintext, keyBase64url) {
+  const key = b64urlDecode(keyBase64url);
+  if (key.length !== 32) {
+    throw new Error('Invalid vault key length');
+  }
+
+  const iv = randomBytes(12);
+  const cipher = createCipheriv('aes-256-gcm', key, iv);
+
+  const encoded = Buffer.from(plaintext, 'utf8');
+  const encrypted = Buffer.concat([cipher.update(encoded), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+
+  // AES-GCM ciphertext = encrypted + authTag (WebCrypto format)
+  const ciphertext = Buffer.concat([encrypted, authTag]);
+
+  return {
+    encrypted_content: b64urlEncode(ciphertext),
+    content_iv: b64urlEncode(iv),
+  };
+}
+
+export { b64urlEncode, b64urlDecode };

package/src/lib/device-transfer.js

@@ -0,0 +1,43 @@
+import { generateKeyPair, publicEncrypt, privateDecrypt, constants } from 'crypto';
+import { promisify } from 'util';
+import { b64urlEncode, b64urlDecode } from './crypto.js';
+
+const generateKeyPairAsync = promisify(generateKeyPair);
+
+/**
+ * Generate an RSA-OAEP 2048 keypair for device-transfer envelope encryption.
+ * Returns { publicKeySpkiB64url, privateKeyPem }.
+ */
+export async function generateTransferKeyPair() {
+  const { publicKey, privateKey } = await generateKeyPairAsync('rsa', {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+  });
+
+  return {
+    publicKeySpkiB64url: b64urlEncode(publicKey),
+    privateKeyPem: privateKey,
+  };
+}
+
+/**
+ * Decrypt a transfer payload encrypted with RSA-OAEP + SHA-256.
+ * @param {string} ciphertextB64url - base64url-encoded ciphertext
+ * @param {string} privateKeyPem    - PEM-encoded PKCS#8 private key
+ * @returns {string} base64url-encoded master key
+ */
+export function decryptTransfer(ciphertextB64url, privateKeyPem) {
+  const ciphertext = b64urlDecode(ciphertextB64url);
+
+  const plaintext = privateDecrypt(
+    {
+      key: privateKeyPem,
+      oaepHash: 'sha256',
+      padding: constants.RSA_PKCS1_OAEP_PADDING,
+    },
+    ciphertext,
+  );
+
+  return b64urlEncode(plaintext);
+}

package/src/lib/keychain.js

@@ -0,0 +1,80 @@
+import keytar from 'keytar';
+import { readFileSync, writeFileSync, unlinkSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+const SERVICE = 'promptcellar';
+const ACCOUNT = 'vault-master';
+
+// File-based fallback when keychain is locked/unavailable
+const FALLBACK_DIR = join(homedir(), '.config', 'promptcellar');
+const FALLBACK_FILE = join(FALLBACK_DIR, '.vault-key');
+
+function readFallback() {
+  try {
+    return readFileSync(FALLBACK_FILE, 'utf8').trim() || null;
+  } catch {
+    return null;
+  }
+}
+
+function writeFallback(value) {
+  mkdirSync(FALLBACK_DIR, { recursive: true, mode: 0o700 });
+  writeFileSync(FALLBACK_FILE, value, { mode: 0o600 });
+}
+
+function deleteFallback() {
+  try {
+    unlinkSync(FALLBACK_FILE);
+  } catch {
+    // ignore
+  }
+}
+
+export function createKeychainClient(service = SERVICE, account = ACCOUNT) {
+  return {
+    store: (keyB64url) => storeVaultKey(keyB64url),
+    load: () => loadVaultKey(),
+    clear: () => clearVaultKey(),
+  };
+}
+
+export async function storeVaultKey(keyB64url) {
+  try {
+    await keytar.setPassword(SERVICE, ACCOUNT, keyB64url);
+    return;
+  } catch {
+    // Keychain unavailable — use file fallback
+  }
+  writeFallback(keyB64url);
+}
+
+export async function loadVaultKey() {
+  try {
+    const val = await keytar.getPassword(SERVICE, ACCOUNT);
+    if (val) return val;
+  } catch {
+    // Keychain unavailable — try file fallback
+  }
+  return readFallback();
+}
+
+export async function clearVaultKey() {
+  try {
+    await keytar.deletePassword(SERVICE, ACCOUNT);
+  } catch {
+    // ignore
+  }
+  deleteFallback();
+}
+
+export async function requireVaultKey({
+  silent = false,
+  loadVaultKeyFn = loadVaultKey,
+} = {}) {
+  const key = await loadVaultKeyFn();
+  if (!key && !silent) {
+    throw new Error('Vault key missing. Run pc login to reauthorize.');
+  }
+  return key;
+}

package/src/lib/state.js

@@ -0,0 +1,61 @@
+import Conf from 'conf';
+
+const state = new Conf({
+  projectName: 'promptcellar',
+  configName: 'capture-state',
+  schema: {
+    threads: {
+      type: 'object',
+      default: {}
+    }
+  }
+});
+
+const MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24 hours
+
+/**
+ * Get the last captured index for a thread.
+ * @param {string} threadId
+ * @returns {number}
+ */
+export function getLastCapturedIndex(threadId) {
+  const threads = state.get('threads');
+  return threads[threadId]?.lastIndex || 0;
+}
+
+/**
+ * Save the last captured index for a thread.
+ * @param {string} threadId
+ * @param {number} lastIndex
+ */
+export function saveLastCapturedIndex(threadId, lastIndex) {
+  const threads = state.get('threads');
+  threads[threadId] = {
+    lastIndex,
+    updatedAt: Date.now()
+  };
+  state.set('threads', threads);
+}
+
+/**
+ * Clean up stale thread entries older than maxAgeMs.
+ * @param {number} maxAgeMs - Default 24 hours
+ */
+export function cleanupStaleThreads(maxAgeMs = MAX_AGE_MS) {
+  const threads = state.get('threads');
+  const now = Date.now();
+  let changed = false;
+
+  for (const [threadId, data] of Object.entries(threads)) {
+    if (now - data.updatedAt > maxAgeMs) {
+      delete threads[threadId];
+      changed = true;
+    }
+  }
+
+  if (changed) {
+    state.set('threads', threads);
+  }
+}
+
+export default { getLastCapturedIndex, saveLastCapturedIndex, cleanupStaleThreads };

package/src/lib/websocket.js

@@ -3,7 +3,7 @@ import { getApiKey, getApiUrl, getSessionId } from './config.js';
 import { getFullContext } from './context.js';
 
 let socket = null;
-let reconnectTimer = null;
+
 
 export function connect(tool, onPromptReceived) {
   const apiKey = getApiKey();
@@ -47,7 +47,7 @@ export function connect(tool, onPromptReceived) {
   });
 
   socket.on('error', (data) => {
-    console.error('WebSocket error:', data.message);
+    console.error('WebSocket error:', data?.message || data || 'Unknown error');
   });
 
   socket.on('disconnect', (reason) => {
@@ -65,10 +65,6 @@ export function disconnect() {
     socket.disconnect();
     socket = null;
   }
-  if (reconnectTimer) {
-    clearTimeout(reconnectTimer);
-    reconnectTimer = null;
-  }
 }
 
 export function isConnected() {

package/tests/device-login.test.js

@@ -0,0 +1,121 @@
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import * as login from '../src/commands/login.js';
+
+const TEST_ACCOUNT_URL = 'https://account.test';
+
+describe('device login helpers', () => {
+  describe('requestDeviceCode', () => {
+    let originalFetch;
+
+    beforeEach(() => {
+      originalFetch = global.fetch;
+    });
+
+    afterEach(() => {
+      global.fetch = originalFetch;
+    });
+
+    it('includes transfer_public_key when provided', async () => {
+      const { requestDeviceCode } = login;
+      assert.equal(typeof requestDeviceCode, 'function', 'requestDeviceCode should be exported');
+
+      let capturedBody;
+      global.fetch = async (url, options) => {
+        capturedBody = JSON.parse(options.body);
+        return {
+          ok: true,
+          json: async () => ({
+            device_code: 'device-123',
+            user_code: 'user-456',
+            verification_url: 'https://example.com/device',
+            expires_in: 600,
+          }),
+        };
+      };
+
+      const data = await requestDeviceCode(TEST_ACCOUNT_URL, 'spki-key');
+
+      assert.equal(capturedBody.transfer_public_key, 'spki-key');
+      assert.ok(capturedBody.client_id, 'client_id should be set');
+      assert.equal(data.device_code, 'device-123');
+    });
+  });
+
+  describe('finalizeDeviceLogin', () => {
+    it('rejects when vault_transfer is missing', async () => {
+      const { finalizeDeviceLogin } = login;
+      assert.equal(typeof finalizeDeviceLogin, 'function', 'finalizeDeviceLogin should be exported');
+
+      await assert.rejects(
+        () => finalizeDeviceLogin({
+          approval: { access_token: 'token' },
+          privateKeyPem: 'private-key',
+          apiUrl: 'https://api.test',
+          deviceName: 'Test Device',
+          decryptTransferFn: () => 'key',
+          storeVaultKeyFn: async () => {},
+          exchangeTokenForApiKeyFn: async () => ({}),
+        }),
+        /vault transfer/i,
+      );
+    });
+
+    it('stores vault key before exchanging token', async () => {
+      const { finalizeDeviceLogin } = login;
+      assert.equal(typeof finalizeDeviceLogin, 'function', 'finalizeDeviceLogin should be exported');
+
+      const calls = [];
+      const approval = { access_token: 'token', vault_transfer: 'ciphertext' };
+
+      const result = await finalizeDeviceLogin({
+        approval,
+        privateKeyPem: 'private-key',
+        apiUrl: 'https://api.test',
+        deviceName: 'Test Device',
+        decryptTransferFn: () => {
+          calls.push('decrypt');
+          return 'master-key';
+        },
+        storeVaultKeyFn: async (key) => {
+          calls.push(['store', key]);
+        },
+        exchangeTokenForApiKeyFn: async (apiUrl, token, deviceName) => {
+          calls.push(['exchange', apiUrl, token, deviceName]);
+          return { api_key: 'api-key', email: 'user@example.com' };
+        },
+      });
+
+      assert.deepEqual(calls[0], 'decrypt');
+      assert.deepEqual(calls[1], ['store', 'master-key']);
+      assert.deepEqual(calls[2], ['exchange', 'https://api.test', 'token', 'Test Device']);
+      assert.equal(result.api_key, 'api-key');
+    });
+
+    it('does not exchange token when keychain store fails', async () => {
+      const { finalizeDeviceLogin } = login;
+      assert.equal(typeof finalizeDeviceLogin, 'function', 'finalizeDeviceLogin should be exported');
+
+      let exchangeCalled = false;
+      await assert.rejects(
+        () => finalizeDeviceLogin({
+          approval: { access_token: 'token', vault_transfer: 'ciphertext' },
+          privateKeyPem: 'private-key',
+          apiUrl: 'https://api.test',
+          deviceName: 'Test Device',
+          decryptTransferFn: () => 'master-key',
+          storeVaultKeyFn: async () => {
+            throw new Error('keychain failed');
+          },
+          exchangeTokenForApiKeyFn: async () => {
+            exchangeCalled = true;
+            return {};
+          },
+        }),
+        /keychain failed/i,
+      );
+
+      assert.equal(exchangeCalled, false);
+    });
+  });
+});